FBI Cybersecurity Expert Abagnale: Equifax 'Sloppiness' Caused Massive Breach

Frank Abagnale, an FBI cybersecurity specialist and identity fraud expert, told CRN that the massive breach at credit reporting agency Equifax is a simple case of a company failing to patch and update critical infrastructure.

"The breach was caused because Equifax didn't do what they were supposed to do," said Abagnale, who has consulted with the FBI on most of the major cybersecurity breaches in the last 15 years including Equifax. "They didn't update their technology. They didn't fix their patches. Their sloppiness caused a hacker to access the data. So they were negligent."

[Related: 'Catch Me If You Can' FBI Security Superstar Abagnale: Federal Government Is The Easiest Target For Cybercriminals]

Equifax, for its part, has blamed what it has called a "U.S. website application vulnerability" for the breach of 145 million consumers personal information and also the breach of the credit card numbers for approximately 209,000 US consumers.

Sponsored post

The breach resulted in what the credit monitoring company has called certain dispute documents with personal information of 182,000 US consumers.

Abagnale said for a company the size of Equifax not to "be keeping their technology up to date is absurd."

In response to Abagnale's criticism, Equifax told CRN that it has been "transparent and comprehensive" in its reporting on the scope of the breach.

"We continue to remain focused on strengthening security," the company said in the statement provided to CRN. "We have taken a number of steps to improve our data security infrastructure such as hardening our networks, changing our procedures to require ’closed loop’ confirmation when software patches are applied, rolling out new vulnerability scanning tools, and increasing accountability mechanisms for our security and IT teams. Our mission is to rebuild trust with consumers."

Abagnale, the teenage check forger turned FBI agent who was popularized in the film "Catch Me If You Can," called the Equifax breach the worst he has ever seen. "This is your name, social security number, date of birth," said Abagnale. "If I can become you it is only limited to my imagination what I can do as you."

Equifax has said the breach occurred from mid-May through July 2017. "In those two or three months that the hacker was in those systems they should have caught that," said Abagnale, confirming he was consulted on the breach by the FBI. "But they didn't. Again it was their negligence that caused that breach to occur. Now you have a lot of people who have had their identities stolen."

Abagnale said he expects the final number of Americans impacted by the breach will rise significantly. "Companies always come in with a low number first and eventually you find out it is a lot higher than that," he said.

Douglas Grosfield, CEO of Five Nines IT, a Kitchener, Ontario, strategic service provider who had his own personal credit information stolen as a result of the Equifax breach, said the credit monitoring service "betrayed the trust" of customers by not securing data.

"Because of Equifax's negligence I had to cancel my credit card and get a new one," said Grosfield. "When someone is paying you for a service and gives you their credit card information and you don't take steps to protect that information you are betraying their trust and doing them a disservice."

Grosfield's response to the measures Equifax took in response to the breach. "That is something they should have been doing all along. The barn door is open and the horses are long gone."\
All of the measures that Equifax took in wake of the breach are basic "IT 101" steps that should have been in place prior to the breach, he said.

Grosfield said he agrees wholeheartedly with Abagnale that the root of the problem is the failings of people that did not take proper precautions. "The human beings behind the technology are always the source of these issues," he said. "Social engineering or the bad guys taking advantage of the failure of employees- is the most rapidly growing threat vector we have to deal with in cybersecurity today," he said.

Five Nines, for its part, is using KnowBe4- a security awareness training tool- to educate customers on how to avoid cybersecurity breaches. "Every company should be using products like KnowBe4," he said. "What it does is teach employees how to become a human firewall. The overwhelming majority of breaches happen because people are not doing what they should be doing."

Abagnale, for his part, said the one thing he has learned in 15 years of consulting on major cybersecurity breaches is that every breach occurs because somebody in that company "did something they weren't supposed to do or somebody in that company failed to do something" that they were supposed to do.

"Hackers do not cause breaches," said Abagnale. "People do. All hackers do is look for a weak point."